Skip to content

fix: improve misleading authorizer log message for non-Lambda authorizers#8912

Open
roger-zhangg wants to merge 1 commit intodevelopfrom
fix/misleading-authorizer-log
Open

fix: improve misleading authorizer log message for non-Lambda authorizers#8912
roger-zhangg wants to merge 1 commit intodevelopfrom
fix/misleading-authorizer-log

Conversation

@roger-zhangg
Copy link
Copy Markdown
Member

@roger-zhangg roger-zhangg commented Apr 10, 2026

Which issue(s) does this change fix?

#7750

Why is this change necessary?

When using sam local start-api with an HttpApi that has DefaultAuthorizer: AWS_IAM and EnableIamAuthorizer: true, the log message is misleading:

Linking authorizer skipped for route '/example', authorizer 'None' is unsupported or not found

Two bugs:

  1. The log prints route.authorizer_name (None) instead of authorizer_name_lookup (AWS_IAM)
  2. The message does not distinguish between a known non-Lambda authorizer (like AWS_IAM) and a truly missing/invalid authorizer

How does it address the issue?

  • Adds a _NON_LAMBDA_AUTHORIZERS set ({"AWS_IAM", "NONE"}) to ApiCollector
  • For known non-Lambda authorizers, logs an INFO message clarifying it is not supported for local emulation: 
    Authorizer 'AWS_IAM' for route '/example' is not supported for local emulation, requests will not be authorized
  • For truly missing/unknown authorizers, logs a WARNING: 
    Authorizer 'NonExistentAuth' for route '/test' was not found, skipping
  • Both cases now correctly log the actual authorizer name instead of None

What side effects does this change have?

  • The log level for missing authorizers changes from INFO to WARNING, which is more appropriate since it likely indicates a template issue.
  • The log message text changes, which could affect users who parse log output.

Mandatory Checklist

PRs will only be reviewed after checklist is complete

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@roger-zhangg
fix: improve misleading authorizer log message for non-Lambda authori…
af82510 
…zers

When an HttpApi uses AWS_IAM as DefaultAuthorizer, the log incorrectly
shows 'authorizer None is unsupported or not found'. This fixes the log
to use the actual authorizer name and differentiates known non-Lambda
authorizers from truly missing ones.

Fixes #7750
@roger-zhangg roger-zhangg requested a review from a team as a code owner April 10, 2026 22:33
reedham-aws
reedham-aws reviewed Apr 10, 2026
View reviewed changes
samcli/lib/providers/api_collector.py

class ApiCollector:
# Authorizer types that are valid but not Lambda-based, so cannot be emulated locally
_NON_LAMBDA_AUTHORIZERS = {"AWS_IAM", "NONE"}
Copy link
Copy Markdown
Contributor

@reedham-aws reedham-aws Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would Cognito authorization need to be included here? I'm not sure if we accept that or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reedham-aws reedham-aws reedham-aws left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

pr/internal

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@roger-zhangg @reedham-aws